Webster defines security as the quality or state of being free from risk of loss, and as the measures taken to guard against espionage or sabotage, crime, attack or escape.
While there are many other definitions of security, security really boils down to defining what you are looking to protect. Security and its importance in today's society are becoming more and more apparent. With lost laptops, lost cell phones and network security breaches appearing in today's headlines, you would think protecting company assets and your own personal information would be the top priority for information security professionals. Unfortunately, real-life situations prove otherwise.
Now, I have to believe that security individuals are a smart bunch during their day jobs! I cannot believe that they lose all sense of security practice just because during the first night at the vendor's reception they consumed free beer causing them to wake up the following morning with all good judgment lost.
Observation #1
While attending a class at a large security conference, the instructor was interrupted and given a document to read aloud. The instructor exclaimed, "A laptop was stolen from one of the classrooms this morning." Let me remind you that I was sitting in a classroom with approximately 50 security experts at a security conference. The next few minutes were spent discussing the incident and what preventative measures were needed to protect both the laptop and the information stored on its hard drive. In my observation, about half the individuals had their laptops open on the desk in front of them, and many of the others had their laptops tucked away in bags next to the desks. The irony of this situation is that I counted five laptop locks actively engaged after the stolen-laptop discussion.
The following morning, I again counted five laptop locks actively engaged, and noticed one individual who would now carry his laptop around with him whenever he left his seat. That afternoon, the instructor was again interrupted and announced that the individual responsible for the laptop theft had been caught trying to steal another laptop.
Unbelievably, even after the second attempted laptop theft, I still observed five laptop locks actively engaged! The sad truth is that security is not taken seriously enough, and the prevailing attitude is "it cannot happen to me." Well, it did happen to someone that week, a security professional! Although this was the only incident we as a class were made aware of, I cannot help but wonder what other proprietary company and personal information was lost that week.
Observation #2
Early the next morning, I got up and made my way down to the conference's internet café. Within a few minutes, I was joined by other early risers. It caught my attention that one individual donned a microphone headset. I knew this was going to be interesting because at that time of the morning the internet café was as quiet as the local library.
Then, after a few seconds, in a booming voice: "Hello, Mike. How are you this morning? I am here at a security conference all week. I want to talk to you about the overseas development factory problems and the next version of software being released."
This conversation went on for close to 40 minutes, and the individual was completely oblivious to the number of people who could hear it. He obviously did not understand the amount of privileged company information he was freely sharing that morning. I hope, for the sake of that individual, that a corporate rival was not in the room recording the conversation, hoping for that juicy tidbit of competitive information.
Observation #3
The hotel offered free wireless internet access to all conference attendees. Free wireless internet access is like free vendor t-shirts: you cannot have too much of either. Remember, this was a security conference covering all facets of information and network security, including hacking, auditing and network penetration techniques. Everyone was warned by the conference host that any individual caught hacking would be escorted from the conference immediately. Some individuals take that warning as a personal affront to their "security prowess" and will run, let's say, technical and social research experiments against their fellow conference attendees. With that said, I was talking to an individual during our morning class break, and he commented, "Last night I tried to connect to the free wireless with no success. So I scanned to see what other wireless access points were available and I tried to connect to them and finally succeeded in getting on the internet to read my email."
The look on the individual's face was priceless (I just wish I had my camera) when I proceeded to explain why what he had done was foolish: his laptop could have been compromised, and any information on it, both privileged and personal, could now be in someone else's hands.
Conclusion
Overall, the conference was a success and all my learning goals were met. I learned as much by listening and observing outside of class and participating in the many group discussions on timely security topics as I did in class listening to the instructor. Security professionals, even away from home, have to be continually diligent and aware of their security practices. Just because they are attending a security conference does not give them any excuse for not practicing what they preach. Protecting your company's assets and your personal information needs to be your top priority. Security professionals have to be held to higher standards. Do not forget this the next time you are in the company of your peers.
- Randall Durfy, CISSP, Network+, is an IT professional for a software and professional staffing company based in Detroit.